Washington DC Archives
August 20th 6:30pm OWASP Meeting, Washington DC
This month we will be holding our meeting at the DC offices of Deloitte & Touche (1001 G St NW Washington DC 20001).
The meeting will start at 1830. Upon arriving, please go to the 9th floor and sign in; someone will escort you to the meeting location, Rm. 8S026. If you are late and cannot get in, please call 202.270.8715.
This month, our agenda is as follows:
- Introduction to OWASP, Rex Booth
- The Big Picture: Web Risks and Assessments Beyond Scanning, Matt Fisher
- Security Conference Review: Black Hat & DefCon (group discussion)
- Open floor
Matt's talk will focus on the need to risk and threat model software and to pick appropriate people, tools, and testing techniques to test against the threat model. In today's resource-constrained market many organizations are simply turning to automation to test their software security without truly understanding its limitations. This talk will discuss some of the broader threat cases, testing techniques for them, and whether the current state of industry technology is effective against them.
July 23rd 6:30pm OWASP Meeting, Washington DC (Alexandria)
This month we will be holding our meeting at the Alexandria offices of Grant Thornton (333 John Carlyle Street Suite 500 Alexandria VA).
The meeting will start at 1830. If you are late and cannot get in, please call 703.785.9390.
The presentation for this meeting will be a reprise of Mark and Doug's Web Application Security and Why It Matters talk, which was suggested/requested at the last meeting in Alexandria. The presentation will cover the topics of the OWASP Top 10 and include demonstrations of exploits of the Top 5. This is geared towards newcomers to OWASP, but we hope that all members in the DC Metro area will attend if they have a chance. We also hope to give the DC crowd a "state of the chapter" like we did at the last meeting in Columbia, and then an open discussion of current events and/or any particular topics of interest will follow.
The presentation can be found here.
June 11th 6:30pm OWASP Meeting, Columbia MD
This month we will be holding our meeting in Columbia MD at Aspect Security's offices (9175 Guilford Rd, Ste 300, Columbia, MD 21046). The meeting will start at 1830. If you are late to the meeting and cannot get in the door please call 301-604-4882, or hack the door. The meeting will focus on HTTP Verb Tampering and authentication bypass, with other topics as we have time.
March 20th 6pm OWASP Meeting, Columbia MD
This month we will be holding our meeting in Columbia MD at Aspect Security's offices (address below). The meeting will start at 6pm and last until around 9pm or so (depends on the crowd).
The topic for the meeting will be a presentation by Jeff Williams on his Enterprise Security API project (quick overview below).
Securing Java EE Applications with the OWASP Enterprise Security API (ESAPI)
Jeff Williams, the CEO of Aspect Security and the volunteer Chair of the OWASP Foundation, will present the new OWASP Project he is leading -- the OWASP Enterprise Security API (ESAPI). ESAPI is an API and reference implementation designed to make it as easy as possible for web developers to address the most common web application security vulnerabilities, including those discussed in the OWASP Top Ten.
ESAPI defines a simple, well-structured, and obvious interface to all the classes and methods a developer needs to build a secure web application, and comes with a reference implementation and over 600 test cases. ESAPI includes numerous new security mechanisms that are simply not present in Java EE today, including intrusion detection! Correctness, completeness, and simplicity are the three primary design goals of ESAPI.
ESAPI provides a worked example of most security challenges faced by enterprise developers. Developers, architects, and application security specialists can use ESAPI as a baseline for what is expected in their applications. This presentation will cover the basic structure of the API, why using it represents a significant reduction in application security costs, and even why it makes projects more agile.
Look forward to seeing everyone there, so don't forget to set your Outlook/Entourage/Notes calendars!
Location information:
- Aspect Security, Inc.
- 9175 Guilford Road, Suite 300
- Columbia, MD 21046-2565
- Main: 301-604-4882
February 5th 6pm Meeting, New Location!
This meeting will be held at a new location thanks to a new host, Grant Thornton LLP.
Presentations
I will be giving a presentation on the intersection between web application security and the attacker's mindset. The purpose of which is to drill home that web application security isn't just about SQL Injection, XSS, XSRF, and "web application compromises." My approach will be to outline various methods of abusing web applications to gain a foothold on networks as well as leveraging vulns to "repurpose" existing web applications to the attacker's whim. The ultimate goal of this presentation is to drill home the fact that web applications (and their insecurities) provide an attacker an amazing attack surface to leverage for various purposes, purposes which I will talk about. A few quick highlights include discussions on PHP/ASP* back door shells, PHP based IRC bots, XSS based attack frameworks, Flash based attack frameworks, IDS evasion etc.
Location details
Location: 333 John Carlyle St Alexandria, VA 22314
The Day After
I want to thank everyone who attended as well as the two organizations that made yesterday's LIVE-O mini-con possible. If it was not for these two organizations the event would not have been nearly as enjoyable as it was.
- MITRE HoneyClient Project
- Grant Thornton
- Aspect Security
I would also like to thank the presenters who put together the interesting topics and presented them to our chapter.
For all the presentations, notes, and thoughts of the attendees and presenters you can use the following link.
Thursday Sept 6th LIVE O minicon!!
Well, it looks like I have been able to finally secure a location for the LIVE-O mini conference. The meeting will be held at 1:00pm at MITRE's McLean, VA offices in the MITRE 1 Building (map to the location below).
If you haven't already signed up you must do so ahead of time! Feel free to pass this link around to coworkers or friends who may be interested in attending. Seating is limited to 75 people, and as such we will not be able to take any more people once we have reached that limit. If you are not able to come after signing up please use the same link to cancel your RSVP for the meeting. This will free up a seat for someone else to enjoy the awe inspiring presentations we have lined up. ;)
List of presentations
- Honeyclients and Malicious Web Servers - Kathy Wang - MITRE
- A malcode perspective on web application privacy - Blake Hartstein - iDefense
- Practical Web Privacy with Firefox - Chuck Willis - Mandiant
- A sneak peek at Jeff's new "Enterprise Security API" - Jeff Williams - Aspect Security/OWASP
- Digital Rights Management - James Stibbards - Cloakware
Please make sure to have your ID with you for checking in when you arrive.
Map/Directions to Mini Con location http://www.mitre.org/about/locations/mitre1_map.html
Thursday August 23rd 6pm Location Aspect Security, Columbia MD
I will be giving a presentation outlining some of the various "Rich Interactive Application" (RIA) frameworks that are being developed.
Here is the rough draft of the presentation.
Topics to go over
(My unofficial plan - YTBD) Offline Web Application frameworks: The fifth horseman? I will be going over the basics of the four major "offline web app frameworks" (aka webocalypse):
- Adobe AIR
- Google Gears
- Microsoft Silverlight
- Sun JavaFX
- Try to go over the differences of each framework, where they fit, and why I think they suck
- Point out potential weaknesses of each framework
- Write a group letter to all the developers explaining the coming "webocalypse" (I'm joking of course)
Location Information
Aspect is located at 9175 Guilford Road (Suite 300) in Columbia. Driving directions are:
From I-95:
- Exit 38 B : Rt. 32 West towards Columbia (1.5 miles)
- Take the Broken Land Parkway exit
- Turn left off the ramp onto Broken Land Parkway
- Turn left at the light onto Guilford Road (0.5 miles)
After a sharp left, enter the parking lot at 9175 Guilford Road. [Note: if you go under the bridge, you've gone too far]
We're on the third floor in Suite 300
Wednesday March 28th 6pm Columbia, MD
This meeting will be held at Aspect Security's offices in Columbia MD. The address is below. Food: As usual, geek food will be provided. This usually means pizza and soda.
Getting there: Aspect is located at 9175 Guilford Road (Suite 300) in Columbia. Driving directions are:
From I-95:
- Exit 38 B : Rt. 32 West towards Columbia (1.5 miles)
- Take the Broken Land Parkway exit
- Turn left off the ramp onto Broken Land Parkway
- Turn left at the light onto Guilford Road (0.5 miles)
After a sharp left, enter the parking lot at 9175 Guilford Road. [Note: if you go under the bridge, you've gone too far]
We're on the third floor in Suite 300
Meeting: February 15th 6PM
Andrew van der Stock will be giving a presentation on the following three topics.
- OWASP Top 10 2007
- Spring of Code 2007
- An update on OWASP Guide 3.0 status
Watch this space as it will be updated as the meeting nears.
Location information
Our hosts have asked that if you are to show up for the meeting that you patiently wait in the first floor lobby for someone to escort you into the conference room that we will be using.
Here is the address:
- Arlington Center (NEW! Opened 7/17/06)
- 3434 Washington Boulevard
- Arlington, VA 22201-4508
- Phone: (703) 284-5000
Meeting: January 18th 6PM
Looks like we will have the following lineup for this month's meeting.
This meeting will be held at Aspect Security's offices in Columbia MD. The address is below.
- Ed Tracy will be giving a brief presentation on the various OWASP Projects/Products.
- Jeff Williams will be giving a presentation on the recent PDF vulnerability and his released server side fix for it.
The fix can be found here: http://www.owasp.org/index.php/PDF_Attack_Filter_for_Java_EE
There have been plenty of happenings over the last month that should make for an awesome meeting. Expect to hear about the recent PDF issue (with example attacks, Snort signatures, server side fixes, etc.)!
Food:
As usual, geek food will be provided. This usually means pizza and soda.
Getting there
Aspect is located at 9175 Guilford Road (Suite 300) in Columbia. Driving directions are:
From I-95:
- Exit 38 B : Rt. 32 West towards Columbia (1.5 miles)
- Take the Broken Land Parkway exit
- Turn left off the ramp onto Broken Land Parkway
- Turn left at the light onto Guilford Road (0.5 miles)
After a sharp left, enter the parking lot at 9175 Guilford Road. [Note: if you go under the bridge, you've gone too far]
We're on the third floor in Suite 300
December 14th Meeting Notes
I would again like to thank Eric Pascarello for presenting his Ajax security presentation to our chapter. For those of you who missed the meeting and would still like to see the presentation, feel free to grab it from Eric's site below. I would also like to thank SRA International for providing the facilities and staff to help host the meeting. Stay tuned for next month's meeting!!
http://www.pascarello.com/Presentation/
Meeting: December 14th 6PM
December Meeting Announcement
This OWASP meeting will be held at a new location in Arlington per the chapter's request. Please note that this IS NOT a permanent shift in venue, but merely an attempt to include those chapter members who are not able to make it to Columbia on a regular basis.
Agenda
- Opening, introductions
- Presentation by Eric Pascarello: Investigating JavaScript and Ajax Security
- Possible "Unannounced" presentation
- Everything Else: Current Events, OWASP news, Industry News, Recent Hacks in the News, Closing, etc.
- BoF discussion on AJAX and AJAX security
Don't know who Eric is? Well, here is a quick blurb I "liberated" from a website about him.
Eric Pascarello dissects Ajax security vulnerabilities
Eric Pascarello is the co-author of "Ajax in Action" (Manning Publications, October 2005), and the author of "JavaScript: Your Visual Blueprint for Building Dynamic Web Pages", 2nd Edition (Wiley, October 2004). Pascarello is a 2002 graduate of Penn State University with a degree in mechanical engineering. He is also a "bartender" on JavaRanch.com. In this interview he talks about Ajax security issues, the need for server-side validation and the Ajax worm released last October on MySpace.com.
I am also trying to work out another presentation that will fit our general "theme" of application security as well (more details to come!). And as always I will try to go over the latest and greatest application security news (think MySpace and QuickTime).
Location information
Our hosts have asked that if you are to show up for the meeting that you patiently wait in the first floor lobby for someone to escort you into the conference room that we will be using.
Here is the address:
- Arlington Center (NEW! Opened 7/17/06)
- 3434 Washington Boulevard
- Arlington, VA 22201-4508
- Phone: (703) 284-5000
Meeting: March 23rd
March Meeting Announcement
Our next meeting is on Thursday March 23rd at 1800 hours in the offices of Aspect Security.
This is going to be a technical meeting focusing on AJAX Security.
In case you weren't aware, AJAX is a clever use of existing technologies to provide richer interfaces on the web (think Google Maps). It's growing in popularity and "buzz", so be sure to make this meeting and learn all you can about it.
If you have some AJAX science you'd like to drop on us, then email me directly at mfisher at spidynamics dot com
The Agenda:
- Opening, introductions
- Presentation by Rick Pries: An introduction to AJAX
- Overview and Review of the new OWASP AJAX Security Guide
- BoF discussion on AJAX and AJAX security
- Everything Else: Current Events, OWASP news, Industry News, Recent Hacks in the News, Closing, etc.
Food:
As usual, geek food will be provided. This usually means pizza and soda.
Getting there
Aspect is located at 9175 Guilford Road (Suite 300) in Columbia. Driving directions are:
From I-95:
- Exit 38 B : Rt. 32 West towards Columbia (1.5 miles)
- Take the Broken Land Parkway exit
- Turn left off the ramp onto Broken Land Parkway
- Turn left at the light onto Guilford Road (0.5 miles)
After a sharp left, enter the parking lot at 9175 Guilford Road. [Note: if you go under the bridge, you've gone too far]
We're on the third floor in Suite 300
Unfortunately being out in the far 'burbs there is very limited public transport.
If you need help getting to the meeting, try emailing the list and asking for a lift.
There are two MARC stations within a twenty minute drive, and the MTA contracted commuter buses drop off within 2 miles of the offices.
Wireless:
I am pleased to announce that we may just have wireless access for the meeting. No promises, but if you're the type who likes to look stuff up realtime then you may want to bring the laptop.
If we *are* lucky enough to get wireless access, there will be a serious "no playing around" policy in place, and anyone breaking it will be kick/banned for life, y'all hear?
December Meeting Notes
[Note: there was no meeting in November due to the holiday crunch. We decided to hold just one meeting in December].
Greetings from the Northern side of the Beltway. I wanted to send out a note to everyone letting them know how great the meeting was last night. The turnout was the perfect size for some "fireside chats".... It was some of the most technical conversation I've had in a long time that didn't involve an instant messaging client.
First of all, thanks again to the ever-generous Aspect Security who provided not only meeting space, but pizza and a chaperone as well. I'm glad to say that Chuck was there too .. Chuck is one of our most highly technical members, and shows up every time, on time.
For those of you who didn't make it, here's what we discussed. Note that I said *discussed*; not presentations. The smaller size of this meeting really afforded some great technical conversation and the loose interactive format was spectacular. If you missed it , well then you missed out.
- Susan Suskin gave us her thoughts on the AppSec conference for those of you who missed the conference. Apparently the majority of the conference rocked, except for some lam3r presentation on web application worms (mine).
- NIST's SAMATE project. This is a government funded project that attempts to 1) gain serious expertise in app sec to the point of being able to 2) define key performance capabilities of app sec tools, 3) define metrics for those capabilities, 4) create test environments against those metrics, and then 5) evaluate and report on all app sec tools. Discussion of this spun off of the discussion of the conference.
- **The recent GMail hack**. This was really well done (props Andre). Instead of doing a *presentation* on it, shots from the original 'explanation' site were passed around and we all deciphered it together, making a true learning and discussion opportunity. Unfortunately this also mitigated our ability to mock his lamer slides, but I secretly mocked his lamer xeroxing capabilities. I'm just kidding of course: Andre xeroxes like a champ. I think he's certified in it or something.
- **A Tutorial Walk-Through of SQL Injection and Blind SQL Injection** along with *nasty evasive destructive SQL Injections*, followed by the Web App Sec comedy hour. Those of you who missed the AppSec conference and also missed the meeting last night missed all the humour. Plus, you'll never understand how astute Donald Rumsfeld is with input validation. [If you read this far, then you get an extra slice of pizza next meeting.] My next presentation will be stone-cold serious, but equally lame. My presentations should improve once I finish my PowerPoint certification study class.
- ShmooCon! The coolest conference you'll find in the area. Be there or be square. http://www.shmoocon.org/ If you are already registered for the conference and aren't staying at the Wardman, then please consider booking a room - they need this to lock in the hotel for next year. I'm local, and I have a room!
- **AJAX** - what it is, what it isn't, who's using it, how it works, and the security implications of it. We all agreed that none of us know enough about it and we're looking for someone with some real expertise to educate us on it. I for one am willing to chip in some bucks for a serious education on it. If we all chipped in, we may be able to get someone to give us a couple hours of tutorial on it. Thoughts?
Next Meeting:
For our next gig, we're trying to get none other than a Special Agent from the Federal Bureau of Investigation to talk to us about the real world legal and prosecutorial environment in relation to cyber intrusions. We will also discuss the latest and greatest hacks, vulns and exploit techniques.
We'd like to see if there's a way to get internet access for the attendees as well. For instance, last night we really could have used a Spanish L33t to English L33t Dictionary while deciphering the Gmail hack. It would be great for doing quick googles, demos etc. If there are any ideas on how we could secure some wireless that would not place us on the host's network, then please bring it. Netstumbling the office doesn't count.
So now you know, and knowing's half the battle.
- Matt
Tuesday October 25th OWASP Meeting Agenda
The next OWASP DC chapter meeting will be held Tuesday, October 25th at 6pm. The meeting will be held in Aspect Security's office in Columbia MD.
- Aspect Security, Inc.
- 9175 Guilford Road, Suite 300
- Columbia, MD 21046-2565
- Main: 301-604-4882
- Fax: 443.583.0772
Directions: http://www.aspectsecurity.com/contact.html
Meeting Agenda
- 6:00pm – Initial Meeting kickoff
- 6:30pm – Special Guest Presentation (Steve Elky, see below for more information)
- 7:15pm – Pizza / General Discussion
- 7:30pm – Discussion on AppSecDC 2005 (Jeff Williams will be presenting)
- 8:15pm – Discussion on Myspace.com “worm”
Special Guest Presentation
This week we have a special guest speaker Steve Elky. Steve will be discussing the incorporation of security and Certification and Accreditation into the Software Development Life Cycle. A brief overview of the presentation is below.
- Certification and accreditation (C&A) mandate
- Certification
- Accreditation
- C&A and the Software Development Life Cycle (SDLC)
- Initiation
- Development/Acquisition
- Implementation
- Operations/Maintenance
- Disposal
- Key Roles
- Independent Approach to C&A
- Integrated Approach to C&A
About Steve Elky
Steve Elky is the Technical Director for Information Security at Software Performance Systems, a software company specializing in e-government solutions. Mr. Elky has his CISSP, CISM, ISSAP, ISSMP, MCSE, CNE, GCNT, CCNA and CCSA as well as a B.S. from the University of Baltimore. Mr. Elky acts as a security advisor to various company clients as well as helping company developers determine and meet security requirements. Mr. Elky is currently assisting the Library of Congress in the design and implementation of their security program.
Discussion and review of AppSecDC 2005
Jeff Williams will be reviewing and discussing the happenings of AppSecDC 2005 for those of us who were not able to attend the conference.
Discussion on Myspace.com “worm”
If time permits we will be reviewing the recent myspace.com “worm”, both at a technical level as well as a higher level conceptual view including “what if” scenarios.
Next Meeting - Tuesday, September 27 @6pm
Everyone is welcome to join us at our monthly chapter meeting. It's held on the fourth Tuesday of each month at 6pm. If you have any items you'd like others to talk about, or if you'd like to make a presentation, post your ideas to our mailing list.
OWASP DC-Maryland Chapter Meeting
The Open Web Application Security Project, DC-Maryland Chapter holds meetings on the fourth Tuesday of each month.
LOCATION:
- SOURCEfire
- 9770 Patuxent Woods Drive
- Columbia, MD (Meeting may be in rear building, 9780.)
AGENDA:
The agenda for this month's meeting is:
- Meet & Greet (6pm)
- PIZZA
- Group Presentation (7pm)
- Jeff Williams presents the OWASP Guide 2.0
- Top Ten feedback survey - Help us test the survey before it's used at the October OWASP conference.
See you there!
Meeting Notes - 7/19/05
At the July 19th meeting, the DC-Maryland chapter took on the topic of the "broken top-ten". We spent 2 and a half hours and digressed many times, often getting lost in the weeds. We did have some useful ideas (I do apologize to the rest of the chapter as these thoughts are largely influenced by my opinions - Ed Tracy).
After discussing the problems with the many uses of the top ten, we asked what does the industry need. The industry needs awareness and guidance. These are two different things. We will admit it has been great for awareness, aka marketing. And, a concern of changing the top ten is given: a radical change in the top ten is likely to diminish its reputation and its effectiveness at raising awareness.
Now back to guidance (the other thing the industry needs)... The top ten is being used for education, security review checklist, design/implementation guide, etc. Well, the industry needs these things in very concise form. We should give them that. OWASP should produce these (I know some of it's been produced already). These shouldn't be top tens or marketed as top tens, as ten is not going to cover everything and having ten top-tens is silly.
The key is to put a big disclaimer in the top ten that advises people not to use it for a review checklist, design guide, etc. The disclaimer should go on to point people in the right direction for guidance for each of those tasks. We believe the top ten should warn people that it's not fit for those other tasks. Otherwise, they think it is and that creates "FUD."
Training Session Notes - 6/7/05
We held a training session for web app security in early June. About 15 people trickled in at all hours.
Thanks Aspect Security, for providing installation CDs with WebGoat, WebScarab, and Paros.
As a group, we did some of the WebGoat exercises using the WebScarab application proxy.
Thanks to Chuck for demonstrating bean scripting in WebScarab. It's used to automate testing.
Thanks to Matt Fisher for demonstrating Spi Dynamics' WebInspect and its web proxy capabilities.
The session was held at:
- SOURCEfire
- 9770 Patuxent Woods Drive
- Columbia, MD
Meeting Notes - 5/24/05
Thanks to Weilin Zhong for running this meeting.
Weilin led a discussion about security for Web Services. As of mid-August, someone is still trying to sanitize the presentation she gave so that it can be published here.
The meeting was held at:
- SOURCEfire
- 9770 Patuxent Woods Drive
- Columbia, MD
Meeting Notes - 4/26/05
Thanks to Bruce Potter for discussing a comparison of secure development on different operating systems.
- App Sec News
- Sorry, this month's notes are lost.
- App Sec News
The meeting was held at:
- SOURCEfire
- 9770 Patuxent Woods Drive
- Columbia, MD
Meeting Notes - 3/22/05
Thanks again to Aspect for providing pizza!
- App Sec News
- SHA-1 defrocked (http://www.financialcryptography.com/mt/archives/000355.html)
- XSS Proxy tool described by Andre Ludwig (http://xss-proxy.sourceforge.net/Advanced_XSS_Control.txt)
- Takes XSS vulnerability and exploits the hell out of it
- Potential demonstration in the future
- Ethics Discussion
- Harvard applicants rejected for "hacking" application website (http://www.pcworld.com/news/article/0,aid,119938,00.asp)
- Everyone was surprised at the many different opinions of culpability people had
- Vulnerability Sharing Clubs like this one: http://www.immunitysec.com/services-sharing.shtml
- Chapter Direction Discussion, Presentation Ideas
- Are we advancing webappsec, teaching it, or both? Possible worksessions at future meetings to allow both to coexist
- Inno Eroraha suggested cross-pollinating with other focus groups in the DC area, ideas?
- Andre Ludwig suggested a demo on the XSS Proxy tool, dates?
- Matt Fisher suggested revisiting the Secure Model Architecture discussion, volunteers to get this started?
- Matt Fisher suggested Absinthe and other SQL testing tools demonstration, dates?
- Joe Bui suggested an outreach session held in DC to reach the government audience. Joe is checking for space availability at his office downtown.
- Several people suggested having a Northern VA meeting. That was countered with the idea of an additional chapter. If someone in VA (or any other area near DC) would like to move one of our meetings to VA, please let me know. I think it's a good idea.
- Penetration Testing Lab
- Introduced the OWASP Penetration Testing Checklist (http://www.owasp.org/documentation/testing/application.html)
- Introduced WebScarab (http://www.owasp.org/software/webscarab.html)
- Introduced WebGoat (http://www.owasp.org/software/webgoat.html)
- Gil Prine and Jeff Williams recommended the book, "Innocent Code" by Sverre H. Huseby
- App Sec News
This meeting was held at:
- Aspect Security
- 9175 Guilford Rd
- Columbia, MD
Meeting Notes - 2/22/05
No meeting this month due to chapter organizers being out of town. See you next month!
Meeting Notes - 1/25/05
This month's meeting saw our biggest turnout yet, with over 20 attendees. Thanks to everyone for coming, thanks to Dave Wichers for his presentation, and thanks to Aspect for providing pizza, soda and snacks!
WebScarab and WebGoat presentation by Dave Wichers
- WebScarab, written by Rogan Dawes and donated to OWASP, has been around about five years in one form or another (please let Rogan know if you use it!)
- Current version at http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61823
- Includes a man-in-the-middle proxy, HTTP request/response editor, filtering traffic logger, session ID analyzer, passive web spider, automatic response modifier, encoder/decoder/hasher, and more; it’s also scriptable with Java Beanshell
- Dave took us through several of the WebGoat lessons using WebScarab to manipulate traffic and explained common vulnerabilities like cross-site scripting
- We were shown how to use WebScarab to intercept browser requests and change them before sending them on to the server
- Discussed some authentication and session management methods such as HTTP Basic Auth (bad), Tomcat JSESSIONID (good), using SSL only for the login (bad), etc.
- WebScarab will point out which pages on your site set cookies
- It will show you both raw and formatted HTTP requests and responses and show you a hex editor-like view of binary data such as images
General Discussion
- Discussed the dilemma of accidentally finding a vulnerability on a public site...do you disclose or not? Will they think you’re a cracker or a saint...or just ignore you?
- Discussed what other tools people use, commercial and free: Appscan, WebInspect, Sleuth, Nstealth, Achilles, Odysseus, Paros, etc. Some limited use of both the commercial and free scanning tools was identified.
- Discussed web application "firewalls". No one in the group indicated they were using any of these products.
- DISA has a checklist for application security (called the Application Security Checklist) at: http://csrc.nist.gov/pcig/cig.html, and NIST is working on the FISMA guidelines, but until there’s a federal regulation on secure development it will be hard to convince them to (pay to) do it
- Discussed the conundrum of developers having no motivation to think security; mentioned putting security requirements in the business/software requirements; mentioned the OWASP secure software contract annex (http://www.owasp.org/docroot/owasp/misc/contract.doc)
- Discussed the new application code scanning tools; Ounce Labs' Prexis, Fortify, and Klocwork were all mentioned. Some members had received briefings on them but no significant use was discussed.
- Since the meeting, some articles about these tools have been identified and are included here for reference:
- Here's a recent (Jan 2005) article about Fortify: http://www.infoworld.com/article/05/01/14/03TCfortify_1.html
- Here's an older (Jul 2004) article about a previous release of Ounce's Prexis: http://www.sdtimes.com/news/106/story12.htm
- A summary of mostly open source application security code analysis tools is available here: http://sardonix.org/Auditing_Resources.html
- A general article about the emerging web app security capabilities: "Emerging web app security services and products bring source code vulnerabilities to light" http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss467_art975,00.html
- And in the same Information Security mag article is a summary chart of various product and service vendors in the space: http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss467_art978,00.html
- The Vendors' pages for these products are at:
Note: OWASP is not endorsing these products in any way. This information is simply provided for the interest of the members of the DC Chapter.
This meeting was held at:
- Aspect Security
- 9175 Guilford Rd
- Columbia, MD
Meeting Notes - 12/28/04
No meeting this month due to the holidays. Happy holidays!
Meeting Notes - 11/23/04
This month's meeting was again held in the first floor conference room at Aspect Security, the chapter's sponsor. A couple "regulars" couldn't make it due to the holiday but it was still well-attended.
IMPORTANT: Future meetings will continue to be on the fourth Tuesday of the month--so the next meeting will be on December 28, again at 6pm. As long as Aspect can reserve the conference room for us, we'll continue meeting there.
Minutes: A slightly smaller group allowed us to keep discussion on topic more easily this month.
- GEMS Demo: Demonstration of the insecurity of Diebold's General Election Management System (GEMS). See http://www.equalccw.com/dieboldtestnotes.html for more details.
- DropMyRights: Discussed use of dropmyrights.exe when you're running as an administrator but want to run your email client and browser with lower privileges. Create a shortcut whose target is "C:\Program Files\dropmyrights\DropMyRights.exe" "C:\Program Files\Internet Explorer\iexplore.exe" and launch the browser from that shortcut instead of invoking it directly; the browser then runs with the restricted token DropMyRights creates. See http://msdn.microsoft.com/security/securecode/columns/default.aspx?pull=/library/en-us/dncode/html/secure11152004.asp for the tool and a short article.
- OWASP Secure Software Contract Annex: Jeff Williams prepared a draft of this document as a starting point for helping people write software development contracts that include security. We discussed how this contract emphasizes the lifecycle steps, whereas the Ounce Labs version emphasizes specific vulnerabilities. We also discussed the fact that the contract includes "requirements for the requirements" instead of trying to cover everything. The document needs more work on the "teeth," i.e. how to ensure that each element is specific enough to audit. Also, it needs some more work on including risk-related activities before the requirements. The plan is to incorporate a few comments, get approval from the OWASP-Leaders, send it out to WebAppSec and stand up an OWASP project to maintain the document.
- The OWASP Mission: The contract discussion led into questions about OWASP's constituency and how we are serving them. One view is that OWASP serves developers and the contract effort is not exactly on target. The other view we discussed is that OWASP is focused on the problem of insecure software, and it should do whatever is necessary to raise awareness of the issue. We also discussed OWASP's role as a platform for the application security community. Is OWASP an "if you build it, they will come" model?
- Open Letter and Requirements Project: We discussed the Open Letter and how it looks like the various product vendors will be working with OWASP to produce a strong list of requirements for all of web application security.
- Reference Architectures: We discussed the concept for this project again, and examined Microsoft's Improving Web Application Security (http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnnetsec/html/threatcounter.asp). While an impressive effort, it seems like there is a need for platform independent documentation that covers the threat, requirements, and architecture levels, but doesn't go into the source code level.
- J2EE Filters: Jeff gave a bit of background on how J2EE Filters work. Anil pointed out that this is very similar to how HTTP Handlers work in the .NET environment. We then discussed the types of things that J2EE Filters can do. Jeff showed how to write filters that implement a request rate throttle, an input sanitizer, a certificate validator, an SSL-only verifier, and several other functions. Some ideas raised by the group included a logging filter and a filter to ensure that responses carrying Set-Cookie headers are only ever sent over SSL.
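As an added illustration of the filter idea discussed above (this is example code written for these notes, not Jeff's filters or any OWASP project code), the servlet filter below combines three of the checks mentioned: an SSL-only verifier, a per-client request rate throttle, and a response wrapper that forces the Secure flag onto every Set-Cookie header so session cookies cannot leak over plaintext. It uses only the standard javax.servlet API; the class name, the 60-requests-per-minute limit, and the choice to key the throttle on the client address are assumptions for the example.

```java
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Example filter (hypothetical; not from the original page): SSL-only check,
 * per-client request throttle, and Secure-flag enforcement on Set-Cookie.
 * Register it in web.xml with a <filter> and a <filter-mapping> for /*.
 */
public class SecurityFilter implements Filter {
    // Assumed policy: at most 60 requests per client per one-minute window.
    private static final int MAX_REQUESTS_PER_WINDOW = 60;
    private static final long WINDOW_MILLIS = 60000L;

    /** Per-client counter: start of the current window and hits within it. */
    private static final class Window {
        long start;
        int hits;
    }

    private final Map<String, Window> windows = new ConcurrentHashMap<String, Window>();

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { windows.clear(); }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // 1. SSL-only verifier: reject plaintext outright instead of redirecting,
        //    so credentials or a session cookie are never accepted over HTTP.
        if (!request.isSecure()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }

        // 2. Rate throttle keyed on the client address. Behind a reverse proxy
        //    you would key on the authenticated user or a trusted forwarded header.
        if (!allow(request.getRemoteAddr(), System.currentTimeMillis())) {
            response.setHeader("Retry-After", "60");
            response.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE, "Too many requests");
            return;
        }

        // 3. Wrap the response so every Set-Cookie header carries the Secure flag.
        chain.doFilter(request, new SecureCookieResponse(response));
    }

    /** Fixed-window counter; returns false once the client exceeds the limit. */
    boolean allow(String client, long now) {
        Window w = windows.get(client);
        if (w == null) {
            w = new Window();
            Window prev = windows.putIfAbsent(client, w);
            if (prev != null) {
                w = prev;
            }
        }
        synchronized (w) {
            if (now - w.start >= WINDOW_MILLIS) {
                w.start = now;
                w.hits = 0;
            }
            w.hits++;
            return w.hits <= MAX_REQUESTS_PER_WINDOW;
        }
    }

    /** Response wrapper that adds "; Secure" to any Set-Cookie header lacking it. */
    static final class SecureCookieResponse extends HttpServletResponseWrapper {
        SecureCookieResponse(HttpServletResponse response) { super(response); }

        public void addCookie(Cookie cookie) {
            cookie.setSecure(true);
            super.addCookie(cookie);
        }

        public void setHeader(String name, String value) {
            super.setHeader(name, secureIfCookie(name, value));
        }

        public void addHeader(String name, String value) {
            super.addHeader(name, secureIfCookie(name, value));
        }

        /** Appends the Secure attribute to a raw Set-Cookie value unless already present. */
        static String secureIfCookie(String name, String value) {
            if (!"Set-Cookie".equalsIgnoreCase(name)) {
                return value;
            }
            for (String attr : value.split(";")) {
                if (attr.trim().equalsIgnoreCase("Secure")) {
                    return value;
                }
            }
            return value + "; Secure";
        }
    }
}
```

Because the filter refuses non-SSL requests before the application ever runs, and the wrapper marks every cookie Secure on the way out, the two checks together give the group's "Set-Cookie only over SSL" property without touching application code. The throttle is deliberately simple; a production version would also count failed logins per account, which is the case that matters for brute-force attacks.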
This meeting was held at:
- Aspect Security
- 9175 Guilford Rd
- Columbia, MD
Meeting Notes - 10/28/04
This month we decided to meet in a conference room at Aspect Security, the chapter's sponsor. Aspect was generous enough to provide sodas, chips, and the most delicious brownies anyone ever tasted. Thanks!
IMPORTANT: Future meetings will be on the fourth Tuesday of the month--so the next meeting will be on November 23, again at 6pm. As long as Aspect can reserve the conference room for us, we'll meet there again.
Minutes: We tried to keep the discussion on three main topics: whitepaper topics, a concept for a "webappsec dashboard," and J2EE filters.
- Whitepaper topics: Jeff has a list of subjects he'd really like to see whitepapers written about, but doesn't have time to write them himself. If anyone would like to volunteer to write a whitepaper to be posted on the OWASP site, email Jeff. Some of the topics that sparked a lot of discussion and interest were:
- The asymmetric/broken market for security: Consumers can't determine if software is secure so they won't pay more for the claim of security; producers can't charge more for more secure software so they don't make it more secure. How do we get vendors to write secure code? How about for libraries--are the circumstances different? A related but possibly separate topic is, who has the burden of proof--the developer to prove software's secure, or the consumer to prove it's insecure?
- Secure web app architectures: How do you draw security or secure web app architectures? We're not so good at telling customers where to do security things in the data flow and n-tier diagrams. Can we do this with UML? Data flow diagrams? How about a "reference architecture" for authentication as an example? This may turn out to be a Chapter project.
- How to decide what to fix first: Is there a quick and easy way for a company with a large number of web apps to determine where they should begin with assessments? If they don't know about any vulnerabilities in any sites, which do they look at first? Maybe we can come up with a short questionnaire for each web app to risk rank them relatively, in the style of The Joel Test. This may also become a Chapter project.
- Mechanisms, vulnerabilities, and threat models: How do people threat-model attacks? Do they even do it? Could we create a standard suite of threat models for any generic web app?
- Webappsec requirements: Are people putting security requirements into their business requirements for projects involving web apps? Can we create a standard list of security requirements people can paste in to their project docs?
- Webappsec dashboard: The concern is that CISOs have no way to get their arms around the state of web app security in their environment. They need a sort of dashboard where they can see metrics and statistics about all their web apps all in one place. Something like this may have to be a tool/software, and OWASP really isn't in the business of writing tools/software.
- J2EE filters: We didn't have time to discuss this but attendees were interested so it will be on the agenda for the next meeting. Jeff quickly demonstrated a tool to analyze JAR files and show what calls they make.
- General discussion: More and more Local Chapters are springing up--what kinds of things can chapters contribute? What should they be expected to contribute?
This meeting was held at:
- Aspect Security
- 9175 Guilford Rd
- Columbia, MD
Meeting Notes - 9/30/04
A good time was had by all.
IMPORTANT: Future meetings will be on the last Thursday of the month--so the next meeting will be on October 28, again at 6pm. If anyone has a good suggestion about where to meet, please send it to the list.
Minutes: None recorded.
This meeting was held at:
- Rocky Run Tap & Grill
- 6480 Dobbin Center Way
- Columbia, MD
Meeting Notes - 8/25/04
Thanks to everyone who showed up last night to the first OWASP Washington Local Chapter meeting. It was great to finally put some faces to names, meet some local application security folks, and the Guinness was nice too!
IMPORTANT: Meetings will be on the last Wednesday of the month--so the next meeting will be on September 29, again at 6pm. This time we're going to meet in Columbia, MD at a place to be determined soon. If anyone has a good suggestion about where to meet, please send it to the list.
Minutes: We had some wide-ranging discussions that touched on scanning, brute-force attacks, validation, web app firewalls, and new projects for OWASP.
- Brute force attacks: We discussed some schemes for handling brute force attacks on websites, some techniques for making a site hard to scan (and why some scanners don't care), and we discussed the combinatorics of generating productive password lists. We also got a demo of Matt Fisher's password generation utility.
- OWASP and awareness: We had a long discussion about things that OWASP can do to help raise awareness about web application security. Some promising approaches included making some webinars and offering them on the website, and providing more practical stuff (tools, libraries, templates) and not focusing on the academic.
- OWASP image: We discussed some ways that OWASP could build on the "platform" provided by the new portal. We could move the webappsec list to OWASP from sourceforge, maybe create some different lists (newbie, advanced, SQL injection, etc.). We could create some discussion forums.
- Metrics: We talked about the new metrics project and what kinds of metrics would be the most useful to the appsec community.
- Promoting adoption: There were some interesting ideas about things OWASP could do to advance the adoption of good appsec practices. One was to get some buy-in from the FBI (a la SANS) or another high-power agency. Matt Chalmers and Chris Burton are going to pursue a few leads to see if there's interest.
This meeting was held at:
- Mayorga Cafe
- 8040 Georgia Av
- Silver Spring, MD